chore: add current provisioning state before migration

taskservs/containerd/default/_config.toml

@@ -0,0 +1,254 @@
+# Use config version 2 to enable new configuration fields.
+# Config file is parsed as version 1 by default.
+# Version 2 uses long plugin names, i.e. "io.containerd.grpc.v1.cri" vs "cri".
+version = 2
+
+# The 'plugins."io.containerd.grpc.v1.cri"' table contains all of the server options.
+[plugins."io.containerd.grpc.v1.cri"]
+
+  # disable_tcp_service disables serving CRI on the TCP server.
+  # Note that a TCP server is enabled for containerd if TCPAddress is set in section [grpc].
+  disable_tcp_service = true
+
+  # stream_server_address is the ip address streaming server is listening on.
+  stream_server_address = "127.0.0.1"
+
+  # stream_server_port is the port streaming server is listening on.
+  stream_server_port = "0"
+
+  # stream_idle_timeout is the maximum time a streaming connection can be
+  # idle before the connection is automatically closed.
+  # The string is in the golang duration format, see:
+  #   https://golang.org/pkg/time/#ParseDuration
+  stream_idle_timeout = "4h"
+
+  # enable_selinux indicates to enable the selinux support.
+  enable_selinux = false
+
+  # selinux_category_range allows the upper bound on the category range to be set.
+  # if not specified or set to 0, defaults to 1024 from the selinux package.
+  selinux_category_range = 1024
+
+  # sandbox_image is the image used by sandbox container.
+  sandbox_image = "k8s.gcr.io/pause:3.2"
+
+  # stats_collect_period is the period (in seconds) of snapshots stats collection.
+  stats_collect_period = 10
+
+  # enable_tls_streaming enables the TLS streaming support.
+  # It generates a self-sign certificate unless the following x509_key_pair_streaming are both set.
+  enable_tls_streaming = false
+
+  # tolerate_missing_hugetlb_controller if set to false will error out on create/update
+  # container requests with huge page limits if the cgroup controller for hugepages is not present.
+  # This helps with supporting Kubernetes <=1.18 out of the box. (default is `true`)
+  tolerate_missing_hugetlb_controller = true
+
+  # ignore_image_defined_volumes ignores volumes defined by the image. Useful for better resource
+	# isolation, security and early detection of issues in the mount configuration when using
+	# ReadOnlyRootFilesystem since containers won't silently mount a temporary volume.
+  ignore_image_defined_volumes = false
+
+  # 'plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming' contains a x509 valid key pair to stream with tls.
+  [plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming]
+    # tls_cert_file is the filepath to the certificate paired with the "tls_key_file"
+    tls_cert_file = ""
+
+    # tls_key_file is the filepath to the private key paired with the "tls_cert_file"
+    tls_key_file = ""
+
+  # max_container_log_line_size is the maximum log line size in bytes for a container.
+  # Log line longer than the limit will be split into multiple lines. -1 means no
+  # limit.
+  max_container_log_line_size = 16384
+
+  # disable_cgroup indicates to disable the cgroup support.
+  # This is useful when the daemon does not have permission to access cgroup.
+  disable_cgroup = false
+
+  # disable_apparmor indicates to disable the apparmor support.
+  # This is useful when the daemon does not have permission to access apparmor.
+  disable_apparmor = false
+
+  # restrict_oom_score_adj indicates to limit the lower bound of OOMScoreAdj to
+  # the containerd's current OOMScoreAdj.
+  # This is useful when the containerd does not have permission to decrease OOMScoreAdj.
+  restrict_oom_score_adj = false
+
+  # max_concurrent_downloads restricts the number of concurrent downloads for each image.
+  max_concurrent_downloads = 3
+
+  # disable_proc_mount disables Kubernetes ProcMount support. This MUST be set to `true`
+  # when using containerd with Kubernetes <=1.11.
+  disable_proc_mount = false
+
+  # unsetSeccompProfile is the profile containerd/cri will use if the provided seccomp profile is
+  # unset (`""`) for a container (default is `unconfined`)
+  unset_seccomp_profile = ""
+
+  # 'plugins."io.containerd.grpc.v1.cri".containerd' contains config related to containerd
+  [plugins."io.containerd.grpc.v1.cri".containerd]
+
+    # snapshotter is the snapshotter used by containerd.
+    snapshotter = "overlayfs"
+
+    # no_pivot disables pivot-root (linux only), required when running a container in a RamDisk with runc.
+    # This only works for runtime type "io.containerd.runtime.v1.linux".
+    no_pivot = false
+
+    # disable_snapshot_annotations disables to pass additional annotations (image
+    # related information) to snapshotters. These annotations are required by
+    # stargz snapshotter (https://github.com/containerd/stargz-snapshotter)
+    disable_snapshot_annotations = false
+
+    # discard_unpacked_layers allows GC to remove layers from the content store after
+    # successfully unpacking these layers to the snapshotter.
+    discard_unpacked_layers = false
+
+    # default_runtime_name is the default runtime name to use.
+    default_runtime_name = "runc"
+
+    # 'plugins."io.containerd.grpc.v1.cri".containerd.default_runtime' is the runtime to use in containerd.
+    # DEPRECATED: use `default_runtime_name` and `plugins."io.containerd.grpc.v1.cri".runtimes` instead.
+    # Remove in containerd 1.4.
+    [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime]
+
+    # 'plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime' is a runtime to run untrusted workloads on it.
+    # DEPRECATED: use `untrusted` runtime in `plugins."io.containerd.grpc.v1.cri".runtimes` instead.
+    # Remove in containerd 1.4.
+    [plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime]
+
+    # 'plugins."io.containerd.grpc.v1.cri".containerd.runtimes' is a map from CRI RuntimeHandler strings, which specify types
+    # of runtime configurations, to the matching configurations.
+    # In this example, 'runc' is the RuntimeHandler string to match.
+    [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
+      # runtime_type is the runtime type to use in containerd.
+      # The default value is "io.containerd.runc.v2" since containerd 1.4.
+      # The default value was "io.containerd.runc.v1" in containerd 1.3, "io.containerd.runtime.v1.linux" in prior releases.
+      runtime_type = "io.containerd.runc.v2"
+
+      # pod_annotations is a list of pod annotations passed to both pod
+      # sandbox as well as container OCI annotations. Pod_annotations also
+      # supports golang path match pattern - https://golang.org/pkg/path/#Match.
+      # e.g. ["runc.com.*"], ["*.runc.com"], ["runc.com/*"].
+      #
+      # For the naming convention of annotation keys, please reference:
+      # * Kubernetes: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set
+      # * OCI: https://github.com/opencontainers/image-spec/blob/master/annotations.md
+      pod_annotations = []
+
+      # container_annotations is a list of container annotations passed through to the OCI config of the containers.
+      # Container annotations in CRI are usually generated by other Kubernetes node components (i.e., not users).
+      # Currently, only device plugins populate the annotations.
+      container_annotations = []
+
+      # privileged_without_host_devices allows overloading the default behaviour of passing host
+      # devices through to privileged containers. This is useful when using a runtime where it does
+      # not make sense to pass host devices to the container when privileged. Defaults to false -
+      # i.e pass host devices through to privileged containers.
+      privileged_without_host_devices = false
+
+      # base_runtime_spec is a file path to a JSON file with the OCI spec that will be used as the base spec that all
+      # container's are created from.
+      # Use containerd's `ctr oci spec > /etc/containerd/cri-base.json` to output initial spec file.
+      # Spec files are loaded at launch, so containerd daemon must be restared on any changes to refresh default specs.
+      # Still running containers and restarted containers will still be using the original spec from which that container was created.
+      base_runtime_spec = ""
+
+      # 'plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options' is options specific to
+      # "io.containerd.runc.v1" and "io.containerd.runc.v2". Its corresponding options type is:
+      #   https://github.com/containerd/containerd/blob/v1.3.2/runtime/v2/runc/options/oci.pb.go#L26 .
+      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
+        # NoPivotRoot disables pivot root when creating a container.
+        NoPivotRoot = false
+
+        # NoNewKeyring disables new keyring for the container.
+        NoNewKeyring = false
+
+        # ShimCgroup places the shim in a cgroup.
+        ShimCgroup = ""
+
+        # IoUid sets the I/O's pipes uid.
+        IoUid = 0
+
+        # IoGid sets the I/O's pipes gid.
+        IoGid = 0
+
+        # BinaryName is the binary name of the runc binary.
+        BinaryName = ""
+
+        # Root is the runc root directory.
+        Root = ""
+
+        # CriuPath is the criu binary path.
+        CriuPath = ""
+
+        # SystemdCgroup enables systemd cgroups.
+        SystemdCgroup = false
+
+        # CriuImagePath is the criu image path
+        CriuImagePath = ""
+
+        # CriuWorkPath is the criu work path.
+        CriuWorkPath = ""
+
+  # 'plugins."io.containerd.grpc.v1.cri".cni' contains config related to cni
+  [plugins."io.containerd.grpc.v1.cri".cni]
+    # bin_dir is the directory in which the binaries for the plugin is kept.
+    bin_dir = "/opt/cni/bin"
+
+    # conf_dir is the directory in which the admin places a CNI conf.
+    conf_dir = "/etc/cni/net.d"
+
+    # max_conf_num specifies the maximum number of CNI plugin config files to
+    # load from the CNI config directory. By default, only 1 CNI plugin config
+    # file will be loaded. If you want to load multiple CNI plugin config files
+    # set max_conf_num to the number desired. Setting max_config_num to 0 is
+    # interpreted as no limit is desired and will result in all CNI plugin
+    # config files being loaded from the CNI config directory.
+    max_conf_num = 1
+
+    # conf_template is the file path of golang template used to generate
+    # cni config.
+    # If this is set, containerd will generate a cni config file from the
+    # template. Otherwise, containerd will wait for the system admin or cni
+    # daemon to drop the config file into the conf_dir.
+    # This is a temporary backward-compatible solution for kubenet users
+    # who don't have a cni daemonset in production yet.
+    # This will be deprecated when kubenet is deprecated.
+    # See the "CNI Config Template" section for more details.
+    conf_template = ""
+
+  # 'plugins."io.containerd.grpc.v1.cri".registry' contains config related to the registry
+  [plugins."io.containerd.grpc.v1.cri".registry]
+
+    # 'plugins."io.containerd.grpc.v1.cri.registry.headers sets the http request headers to send for all registry requests
+    [plugins."io.containerd.grpc.v1.cri".registry.headers]
+        Foo = ["bar"]
+
+    # 'plugins."io.containerd.grpc.v1.cri".registry.mirrors' are namespace to mirror mapping for all namespaces.
+    [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
+      [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
+        endpoint = ["https://registry-1.docker.io", ]
+
+  # 'plugins."io.containerd.grpc.v1.cri".image_decryption' contains config related
+  # to handling decryption of encrypted container images.
+  [plugins."io.containerd.grpc.v1.cri".image_decryption]
+    # key_model defines the name of the key model used for how the cri obtains
+    # keys used for decryption of encrypted container images.
+    # The [decryption document](https://github.com/containerd/cri/blob/master/docs/decryption.md)
+    # contains additional information about the key models available. 
+    #
+    # Set of available string options: {"", "node"}
+    # Omission of this field defaults to the empty string "", which indicates no key model, 
+    # disabling image decryption.
+    #
+    # In order to use the decryption feature, additional configurations must be made.
+    # The [decryption document](https://github.com/containerd/cri/blob/master/docs/decryption.md)
+    # provides information of how to set up stream processors and the containerd imgcrypt decoder
+    # with the appropriate key models.
+    #
+    # Additional information:
+    # * Stream processors: https://github.com/containerd/containerd/blob/master/docs/stream_processors.md
+    # * Containerd imgcrypt: https://github.com/containerd/imgcrypt
+    key_model = "node"

taskservs/containerd/default/containerd.service

@@ -0,0 +1,42 @@
+# Copyright The containerd Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[Unit]
+Description=containerd container runtime
+Documentation=https://containerd.io
+After=network.target local-fs.target
+
+[Service]
+#uncomment to enable the experimental sbservice (sandboxed) version of containerd/cri integration
+#Environment="ENABLE_CRI_SANDBOXES=sandboxed"
+ExecStartPre=-/sbin/modprobe overlay
+ExecStart=/usr/local/bin/containerd
+
+Type=notify
+Delegate=yes
+KillMode=process
+Restart=always
+RestartSec=5
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNPROC=infinity
+LimitCORE=infinity
+LimitNOFILE=infinity
+# Comment TasksMax if your systemd version does not supports it.
+# Only systemd 226 and above support this version.
+TasksMax=infinity
+OOMScoreAdjust=-999
+
+[Install]
+WantedBy=multi-user.target

taskservs/containerd/default/crictl.yaml

@@ -0,0 +1,3 @@
+runtime-endpoint: "unix:///run/containerd/containerd.sock"
+timeout: 0
+debug: false

taskservs/containerd/default/env-containerd.j2

@@ -0,0 +1,5 @@
+{%- if taskserv.name == "kubernetes" %} 
+CONTAINERD_VERSION="{{taskserv.version}}"
+CRICTL_VERSION="{{taskserv.crictl_version}}"
+CRI_SOCKET="unix:///var/run/containerd/containerd.sock"
+{%- endif %}

taskservs/containerd/default/install-containerd.sh

@@ -0,0 +1,147 @@
+#!/bin/bash
+# Info: Script to install/create/delete/update containerd from file settings 
+# Author: JesusPerezLorenzo  
+# Release: 1.0 
+# Date: 12-10-2024
+
+USAGE="install-containerd.sh install | update | remvoe"
+[ "$1" == "-h"  ] && echo "$USAGE"  && exit 1
+
+ARCH="$(uname -m | sed -e 's/x86_64/amd64/' -e 's/\(arm\)\(64\)\?.*/\1\2/' -e 's/aarch64$/arm64/')"
+OS="$(uname | tr '[:upper:]' '[:lower:]')"
+
+[ -r "env-containerd" ] && . ./env-containerd
+
+CONTAINERD_VERSION="${CONTAINERD_VERSION:-1.7.18}"
+CONTAINERD_URL=https://github.com/containerd/containerd/releases/download/v$CONTAINERD_VERSION/containerd-$CONTAINERD_VERSION-$OS-$ARCH.tar.gz
+
+CRICTL_VERSION="${CRICTL_VERSION:-1.28.0}"
+CRICTL_URL="https://github.com/kubernetes-sigs/cri-tools/releases/download/"
+
+CONTAINERD_SYSTEMCTL_MODE=enabled
+
+CMD_TSKSRVC=${1:-install}
+
+export LC_CTYPE=C.UTF-8 
+export LANG=C.UTF-8
+
+ORG=$(pwd)
+
+_clean_others() {
+  [ -d "/etc/cni" ] && sudo rm -r /etc/cni
+  [ -d "/var/lib/containers" ] && sudo rm -r /var/lib/containers
+  sudo rm -f /etc/systemd/system/podman* 2>/dev/null
+}
+_init() {
+  [ -z "$CONTAINERD_VERSION" ] && exit 1  # || [ -z "$CONTAINERD_ARCH" ] || [ -z "$CONTAINERD_URL" ] || [ -z "$CONTAINERD_FILE" ] && exit 1
+  local curr_vers
+  local has_containerd
+  has_containerd=$(type containerd 2>/dev/null)
+  if [ -n "$has_containerd" ]  ; then 
+    curr_vers=$(containerd --version | awk '{print $3}' | sed 's/v//g')
+  else
+    _clean_others
+  fi
+  if [ "$curr_vers" != "$CONTAINERD_VERSION" ] ; then
+    if ! curl -fsSL "$CONTAINERD_URL" -o /tmp/containerd.tar.gz ; then
+      echo "error downloading containerd "
+      return 1 
+    fi
+    tar xzf /tmp/containerd.tar.gz 
+    if [ -r "bin/containerd" ] ; then
+      cd bin || exit 1
+      [ -n "$has_containerd" ] && sudo timeout -k 10 20 systemctl stop containerd 
+      sudo cp * /usr/local/bin
+      cd "$ORG" || exit 1
+    else  
+      echo "error installing containerd"
+      ret=1
+    fi
+    rm -fr cri-o
+    rm -f /tmp/containerd_installer.sh
+    [ "$ret" == 1 ] && return 1 
+  fi
+  curr_vers=$(crictl --version | awk '{print $3}' | sed 's/v//g')
+  if [ "$curr_vers" != "$CRICTL_VERSION" ] ; then
+    if ! curl -fsSL "${CRICTL_URL}/v${CRICTL_VERSION}/crictl-v${CRICTL_VERSION}-${OS}-${ARCH}.tar.gz" -o /tmp/crictl.tar.gz ; then
+      echo "error downloading crictl installer"
+      return 1 
+    fi
+    tar xzf /tmp/crictl.tar.gz 
+    if [ -r "crictl" ] ; then
+      chmod +x crictl 
+      sudo mv crictl /usr/local/bin
+    fi
+    rm -f /tmp/crictl.tar.gz 
+  fi
+  return 0 
+}
+
+_config_containerd() {
+  [ ! -d "/etc/containerd" ] && mkdir -p /etc/containerd 
+  if [ -r "config.toml" ] && [ ! -r "/etc/containerd/config.toml" ] ; then
+    sudo cp config.toml /etc/containerd/config.toml
+  elif [ ! -r "/etc/containerd/config.toml" ] ; then
+    sudo containerd config default | sudo tee /etc/containerd/config.toml >/dev/null
+  fi
+  local youki_path=$(type -p youki 2>/dev/null)
+  if [ -n "$youki_path" ] && [ -x "$youki_path" ] ; then
+    local has_youki=$(grep youki /etc/containerd/config.toml)
+    if [ -z "$has_youki" ] ; then
+      echo '[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.youki]' >> /etc/containerd/config.toml
+      echo '  runtime_type = "io.containerd.runc.v2"' >> /etc/containerd/config.toml
+      echo '   [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.youki.options]' >> /etc/containerd/config.toml
+      echo '     BinaryName = "'$youki_path'"' >> /etc/containerd/config.toml
+      sed -i 's,SystemdCgroup = true,,' /etc/containerd/config.toml
+    fi
+  fi
+  if [ -r "crictl.yaml" ] && [ ! -r "/etc/containerd-crictl.yaml" ] ; then
+    sudo cp crictl.yaml /etc/containerd-crictl.yaml
+    sudo cp crictl.yaml /etc/crictl.yaml
+  fi
+  if [ -r "containerd.service" ] && [ ! -r "/lib/systemd/containerd.service" ] ; then
+    sudo cp containerd.service  /lib/systemd/system
+    [ ! -L "/etc/systemd/system/containerd.service" ] && sudo ln -s /lib/systemd/system/containerd.service /etc/systemd/system
+    sudo timeout -k 10 20 systemctl daemon-reload
+  fi
+  TARGET=/etc/modules-load.d/containerd.conf
+  ITEMS="overlay br_netfilter"
+  for it in $ITEMS
+  do 
+    has_item=$(sudo grep ^"$it" $TARGET 2>/dev/null)
+    [ -z "$has_item" ] && echo "$it" | sudo tee -a /etc/modules-load.d/containerd.conf
+  done
+  _start_containerd
+}
+
+_remove_containerd() {
+  sudo timeout -k 10 20 systemctl stop containerd 
+  sudo timeout -k 10 20 systemctl disable containerd 
+}
+
+_start_containerd() {
+  if [ "$CONTAINERD_SYSTEMCTL_MODE" == "enabled" ] ; then 
+    sudo timeout -k 10 20 systemctl enable containerd 
+  else 
+    sudo timeout -k 10 20 systemctl disable containerd 
+  fi
+  sudo timeout -k 10 20 systemctl start containerd
+}
+
+_restart_containerd() {
+  sudo timeout -k 10 20 systemctl restart containerd
+}
+[ "$CMD_TSKSRVC" == "remove" ] && _remove_containerd && exit 0
+if ! _init ; then
+  echo "error containerd install"
+  exit 1
+fi
+[ "$CMD_TSKSRVC"  == "update" ] &&  _restart_containerd && exit 0
+if ! _config_containerd ; then 
+  echo "error containerd config"
+  exit 1
+fi
+if ! _start_containerd ; then 
+  echo "error containerd start"
+  exit 1
+fi

taskservs/containerd/default/provisioning.toml

@@ -0,0 +1,2 @@
+info = "containerd"
+release = "1.0"